From: Soeren Ziehe (robinton_at_gmx.de)
Date: Fri Sep 06 2002 - 03:44:00 CDT
In article <1031192635.27151.37.camel@bloodnock> [05 Sep 02] Russell Fulton <r.fulton@auckland.ac.nz> wrote:
> Am I right in assuming that this just more spammers looking for
> places to launder mail or is it more sinister than that? I.e. do
> we believe the 'arbitrary command execution attempt' bit?
Spammers looking for vulnerable formmail versions.
For the last months they've been looking for
/cgi-bin/formmail.pl
/cgi-bin/formmail.cgi
/cgi-local/formmail.pl
/cgi-local/formmail.cgi
Since last week I also see probes for
/cgi-bin/FormMail.pl
/cgi-bin/FormMail.cgi
We had 2 incidents in our network where "older" (1.6 - latest is 1.92)
installations were detected in "non-standard" locations.
For one incident I've got log data. The attack consisted of coordinated
accesses from several locations worldwide (br, us, de, edu, jp, ...).
After disabling the script (ca. 3h into the attack) these distributed
attacks continued for about 18 hours.
Address restrictions were circumvented by using
"<recipient@example.com>www.victim.com" style recipient addresses.
No hard evidence, but I suspect the following:
- the spammers may be looking actively for forms and associated scripts
by spidering websites
- the spammers may command "bot nets" or distributed cracked and
compromised hosts, which then are used to send out spam.
Robinton
-- Origin: The answer is 41.735979 ! ;-)
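Two defender-side checks for the FormMail abuse described in the post above, as an added example that is not part of the original message or of the FormMail script: first, a scanner that flags web-log requests for the script paths the post lists (it goes a little beyond the post by matching the script name at the end of any path, case-insensitively, since the post notes hits on installations in "non-standard" locations and probes for both formmail.* and FormMail.*); second, a demonstration of why a recipient restriction implemented as a suffix match on the raw field is satisfied by a "<recipient@example.com>www.victim.com" style address, beside a strict check that requires the whole field to be a single plain address and compares its domain exactly. The assumption that the bypassed restriction was a suffix match is mine, not stated in the post. The log lines, client addresses and domains are constructed placeholders.

```python
"""Added example, not the post's or FormMail's own code.

1. detect_formmail_probes(): flag requests for */formmail.pl or */formmail.cgi
   (any directory, any capitalisation) in Apache combined-format log lines.
2. recipient_allowed_weak() vs recipient_allowed_strict(): why a suffix match
   on the recipient field accepts "<recipient@example.com>www.victim.com",
   and how a strict address check rejects it.
"""
import re

# Constructed sample log lines (combined log format). 203.0.113.x, 198.51.100.x
# and 192.0.2.x are documentation address ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Sep/2002:03:12:41 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 291',
    '198.51.100.7 - - [06/Sep/2002:03:12:43 +0200] "GET /cgi-bin/FormMail.cgi?recipient=x HTTP/1.1" 404 291',
    '192.0.2.9 - - [06/Sep/2002:03:13:02 +0200] "GET /index.html HTTP/1.1" 200 1532',
    '203.0.113.5 - - [06/Sep/2002:03:13:10 +0200] "POST /forms/contact/formmail.pl HTTP/1.0" 200 512',
]

# client, method, path (and protocol, ignored), status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Script name at the end of the path; IGNORECASE covers the FormMail.* probes.
PROBE_RE = re.compile(r"/formmail\.(?:pl|cgi)$", re.IGNORECASE)


def detect_formmail_probes(log_lines):
    """Return (client, path, status) for every request to a FormMail script.

    A 404 means the probe found nothing; a 200 on such a path means a copy of
    the script is actually reachable and should be removed or upgraded.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        path_only = path.split("?", 1)[0]  # drop the query string
        if PROBE_RE.search(path_only):
            hits.append((client, path_only, int(status)))
    return hits


def recipient_allowed_weak(recipient, allowed_domains):
    """Assumed weak check: accept if the raw field merely ENDS with an allowed
    domain. Nothing forces the allowed domain to be the address's own domain."""
    return any(recipient.lower().endswith(d.lower()) for d in allowed_domains)


# Whole field must be one plain addr-spec: local part, one '@', dotted domain.
ADDR_RE = re.compile(r"^([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def recipient_allowed_strict(recipient, allowed_domains):
    """Strict check: parse the field as a single address and compare the
    domain exactly. Angle brackets, trailing junk or a second '@' all fail."""
    m = ADDR_RE.fullmatch(recipient.strip())
    if not m:
        return False
    domain = m.group(2).lower()
    return domain in {d.lower() for d in allowed_domains}


if __name__ == "__main__":
    for client, path, status in detect_formmail_probes(SAMPLE_LOG):
        print(f"formmail probe from {client}: {path} -> {status}")

    bypass = "<recipient@example.com>www.victim.com"
    allowed = ["www.victim.com"]
    print("weak   accepts bypass:", recipient_allowed_weak(bypass, allowed))
    print("strict accepts bypass:", recipient_allowed_strict(bypass, allowed))
    print("strict accepts legit: ",
          recipient_allowed_strict("webmaster@www.victim.com", allowed))
```

Run the scanner over a real access log one line at a time; the 200 responses in its output are the installations worth finding before the spammers do, and the 404s give the list of probing clients.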